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Abstract. A new upper bound for the number of finite fields over which 
pairing-friendly elliptic curves may exist is given. Several heuristic asymptotic 
formulas are presented on the number of isogeny classes of some kinds of elliptic 
curves. Especially we heuristically analyze the Cocks-Pinch method to confirm 
some of its general consensuses, such as many curves possible and with p- value 
around 2. 



1. Introduction 

1.1. Motivation. Mainly inspired by the following pioneering works: three-party 
one-round key agreement [16], identity-based encryption [4, 24], short signature 
schemes [6], easing the cryptographic applications of pairings [27] and efficient com- 
putations of pairings associated to elliptic curves [20], there has been a flurry of 
activity in the design and analysis of cryptographic protocols by using pairings on 
elliptic curves. More in-depth studies of pairing-based cryptography can be found 
in the expository articles [14] and [23], and in the extensive research literature. 

The elliptic curves suitable for implementing pairing-based systems should have a 
small embedding degree with respect to a large prime-order subgroup, we call them 
pairing-friendly elliptic curves. More precisely, a pairing-friendly elliptic curve over 
a finite field F 9 contains a subgroup of large prime order I such that for some k, 
£\q k — 1 and I \ q % — 1 for < i < k, and the parameters q, £ and k should satisfy 
the following conditions: 

• t should be large enough so that the DLP in an order-^ subgroup of E(W q ) 
is infeasible. 

• k should be sufficiently large so that the DLP in F* fc is intractable. 

• k should be small enough so that arithmetic in ¥ q k is feasible. 

Here k is called the embedding degree of E with respect to £, and the ratio 
called the p-value of E with respect to £. There is a specific definition for pairing- 
friendly elliptic curves in [12, Definition 2.3], i.e. they should meet £ > Jq and 
< log 2 (i)/8. 

These conditions make pairing-friendly curves rare, and they can not be con- 
structed by random generation. This naturally produces two important problems: 

• Finding efficient constructions of pairing-friendly curves. 

• Analyzing these constructions, including the frequency of curves constructed, 
efficiency, security level, etc. 
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Obviously, supersingular elliptic curves are the natural candidates for such con- 
structions. However, on one hand due to MOV attack [19] and Frcy-Riick reduction 
[13], supersingular curves are widely believed to have some cryptographic weak- 
nesses; on the other hand, for supersingular curves the embedding degree k has 
only 5 choices, i.e. k G {1,2,3,4,6}. Thus, it seems quite important to construct 
ordinary curves with the above properties. 

After consecutive efforts of many researchers, several methods for constructing 
ordinary curves are found, but they yield only a few rather thin families of such 
curves. An exhaustive survey can be found in [12], furthermore the authors there 
gave a coherent framework of all existing constructions. Unfortunately, none of 
these constructions has been rigorously analyzed. Even heuristic analysis is far from 
sufficiency except for the so-called MNT curves [21]. For the heuristic analysis of 
MNT curves, sec [17, 26]. Most recently, a heuristic asymptotic formula for pairing- 
friendly curves over prime fields is presented in [8] , some heuristic arguments about 
Barreto-Naehrig family [2] are also given therein. 

It is widely accepted that the Cocks-Pinch method [9] is the most flexible algo- 
rithm for constructing pairing-friendly curves, such as with many curves possible, 
with arbitrary embedding degree, with prime-order subgroups of nearly arbitrary 
size and so on. This makes it one of the two most general methods in the literature, 
the other one is the Dupont-Enge-Morain method [10]. 

In this paper, firstly we continue the counting approach of [17, 18, 26] for pairing- 
friendly curves. We give a new upper bound for the number of finite fields over which 
pairing- friendly curves may exist, which seems to have slight improvement upon the 
previous bounds. Heuristic asymptotic formulas for the number of ordinary curves 
and for the number of ordinary pairing-friendly curves are also derived respectively 
by following the method of [8]. 

Secondly, we analyze heuristically the Cocks-Pinch method to confirm some of 
its general consensuses, such as many curves possible and with p-value around 2. 
Through different approaches, we also give different heuristic asymptotic formulas 
both for the number of isogeny classes of curves constructed by the Cocks-Pinch 
method and for the number of isogeny classes of such constructed pairing-friendly 
curves. 

1.2. Notations and Conventions. Let be the fc-th cyclotomic polynomial. 
The existing constructions of ordinary curves with small embedding degree typically 
work in the following two steps. 

(1) Find a prime £, integers k > 2 and t, and a prime power q such that 
(1.1) \t\<2^q, gcd(g,t) = l, 1,2, t\q+l-t, *|$ fc (g). 

(2) Construct an elliptic curve E over ¥ q with |_E(F g )| = q+ 1 — t. 

Since £|$fe(g), k is the multiplicative order of q modulo £ and then k\£ — 1. 
For satisfying the practical requirements, k should be reasonably small, while the 
p- value should be as small as possible, preferably close to 1. 

Unfortunately, the second step above is feasible only if t 2 — 4q has a very small 
square-free part; that is, if the so-called CM norm equation 



(1.2) 



4g = t 2 + Du 2 
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with some integers u and D, where D is a small square-free positive integer. In this 
case, for example D < 10 13 (see [25]), E can be efficiently constructed via the CM 
method (see [1, Section 18.1]). 

Through out the paper, the notations U = 0(V) and U -C V are both equivalent 
to the inequality \U\ < cV with some constant c, while U = o(V) means that 
U/V — > and U ~ V means that U/V —> 1, respectively. 



2. Statistics of ordinary pairing-friendly curves 

2.1. Upper bound for the number of ordinary pairing-friendly curves. 

For positive real numbers x, y and z, let Qk{x, y, z) be the number of prime powers 
q < x for which there exist a prime I > y and an integer t satisfying Conditions 
(1.1) and (1.2) with some square- free positive integer D < z. We also denote by 
Ik{x, y, z) the number of pairs (g, t) of prime powers q < x and integers t such that 
Conditions (1.1) and (1.2) are satisfied with some prime i~>y and some square-free 
positive integer D < z. That is, Ik{x, y, z) is exactly the number of isogeny classes 
of the corresponding ordinary elliptic curves. 

The function Qk(x,y,z) was first introduced in [17], The authors provided an 
upper bound for it therein and improved this bound in [18]. In [26], by introduc- 
ing and bounding the function Ik{x,y,z) the authors obtained a better bound for 
Qk(x,y, z), namely, 

(2.1) Q k (x,y,z) « ^Xzy- 1 +x 1 ' 2 )z 1 ' 2 - 1( 



log log X ' 

where tp is the Euler's totient function. 

We will see that the new bound presented here gives slight improvement upon 
the inequality (2.1) in the instance of main practical interest. 

Theorem 2.1. For any integer k > 2 and positive real numbers x,y and z, we 
have 

(2.2) h(x,y, Z )«f^. 

log log X 

Proof. The number of primes I satisfying Condition (1.1) is 0( v ^\°gx ) , see [26, 
Formula (7)]. 

Next, we estimate the probability that q is a prime power. Here we borrow an 
idea from [8, Section 1]. For a given positive square-free integer D, we consider the 
element 

a = 2 

of the imaginary quadratic field Q(y/—D). Since a is a root of X 2 — tX + q, a is 
an algebraic integer. If we denote by Af(-) the absolute norm of Q(v— D), then 
Af(a) = q. We also notice that gcd(t,q) = 1 from Condition (1.1). Thus, the 
condition that q is a prime power is equivalent to the condition that a generates 
a principal prime ideal power of Q(y/—D). Denote by n(x) the number of prime 
ideals of Q(y/—D) with norm bounded by x, the prime ideal theorem gives 



7r(x) ~ xj log x. 
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Then the number of prime ideal powers of Q(V~-D) with norm bounded by x is 
bounded by 

log X 

^2 x 1/k /\og(x 1/k ) < x/\ogx + x 1/2 \ogx = 0(x/\ogx). 

k=l 

So the number of principal prime ideal powers of Q(V — D) with norm bounded by 
x is 0(j- 2 — ). Note that when £ is fixed, q must be congruent to t — 1 modulo £. 
Hence, for fixed £ and D, the number of prime q < x satisfying Conditions (1.1) 
and (1.2) by varying t and u is O(j^). 

It is well-known that there are (6/ir 2 +o(l))z positive square-free integers D < z 
as z — > oo, for example see [15, Theorem 334]. Therefore, we get 

ip(k)\ogx x ip(k)xy~ 1 z 
log log x y log x log log x 

□ 



I k (x,y,z) < 



Assume that y > a; 1 / 2 + ( 1 ) and z = x°^ which is the most interesting case from 
the cryptographic point of view. Then (2.2) becomes 

4(x, 2 /,z)« 2; 1 /2+o(l), 

which can be compared with the number a; 3 / 2 + ( 1 ) Q f all possible isogeny classes 
(i.e. of pairs (q,t)) of elliptic curves over finite fields with cardinality q < x. Thus, 
one can not expect to generate suitable elliptic curves by random selection. 

In particular, under the assumption z = x°^\ the bound in (2.2) is slightly 
better than that in (2.1). Recall that there is a heuristic lower bound of Ik{x, y, z) 
under some assumptions in [26, Section 2.3], that is 

h(x, V, z) > c(e, k)xy~ 1+£ z 1/2 , 

where c(e, k) depends only on e and k. Compared with (2.2) this lower bound is 
very tight. 

Notice the trivial inequality Qk(x,y, z) < Ik{x,y, z), we get the following corol- 
lary. 

Corollary 2.2. For any integer k > 2 and positive real numbers x,y and z, we 
have 

n , n, „ p{k)xy- 1 z 

(2.3) Qk[x, y, z) < — — . 

log log X 

2.2. Heuristics of ordinary elliptic curves. We would like to consider the quan- 
tity Jfe,£)(a;), which is the number of pairs (q, t) of primes q and integers t such that 
Conditions (1.1) and (1.2) are satisfied with q < x and £ < x. Namely, Jk,o{x) is 
exactly the number of isogeny classes of the corresponding ordinary elliptic curves. 

By Hassc's bound, we have £ < (s/x + l) 2 when q < x. The reason that we 
define Jk.D{ x ) satisfying q < x and £ < x is for the conveniences of statements and 
for the simplicities of formulas. 

To get an asymptotic formula for Jk^{x), we follow the method in [8, Section 
1]. We also need the following well-known lemma, which can be gathered from [28, 
Chapter 2]. 

Lemma 2.3. Let k > 1 be an integer and £ \ k a prime. Then the following 
statements are equivalent. 
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(1) <&k(X) has a root modulo £. 

(2) can be factored into distinct linear factors modulo £. 

(3) £ splits completely over the cyclotomic field Q(Ck)- 

(4) k\e-i. 

Theorem 2.4. For any integer k > 2 and any positive real number x, the following 
heuristic asymptotic formula holds. 

w D x f x dz 

Jk,D{X) 



h d log x J 3 z 2 log z ' 

where hp is the class number of Qi^—D) and wd is the number of roots of unity 

Proof. Let £ > 2 be any integer. The probability that £ is prime is l/\og£, here 
we use the regular heuristic that the probability of a random integer n to be prime 
is 1/ log n. Since k has finitely many prime factors, for an arbitrary prime £, the 
probability that £ \ k is 1. For making £\&k(q) possible, k must divide £ — 1 by 
Lemma 2.3. Notice that there are <p(k) residue classes modulo k consisting of 
integers prime to k, the probability that £ is prime and k\£ — 1 is -^jj^j- 

Since k > 2 and k\£ — 1, we must have £ > 3. For an arbitrary integer t, since 
the degree of is ip(k), we can assume that the probability that $fc(i — 1) = 
(mod £) is 

Assume that Aq = t 2 +Du 2 with q prime and q\t. We can deduce that (q, t, D) = 
(2, ±2, 2) or (q, t, D) = (3, ±3, 3). So excluding these two cases, Aq = t 2 + Du 2 with 
q prime implies gcd(g, t) = 1. 

Now we estimate the number of primes q < x satisfying Condition (1.2). We 
consider the element 

t + Uyf^D 

a = 2 

of Q(\/—D). We have known that a is an algebraic integer, Af(a) = q and Af(a — 
1) = q + 1 — t. So the condition that q is prime is equivalent to the condition that 
a generates a principal prime ideal of Q(y/—D) whose underlying prime number is 
not inert in Q(\/—D). By the prime ideal theorem for ideal classes, the number of 
principal prime ideals of <Q(y/—D) with norm bounded by x is equivalent to fep - 
as x — > oo. Notice that the number of prime ideals of Q(V — D) with norm bounded 
by x and underlying prime number inert is 0( lo ^/^r ) as a; — > oo. So the number of 
principal prime ideals of <Q(y/—D) with norm bounded by x and underlying prime 
number not inert is equivalent to /lr> f og x as x — > oo. In the ring of integers of 

Q(y/—D), the units are exactly the roots of unity in Q(y/—D). For any such root 
of unity (3^1, a/3 and a generate the same ideal but a/3 a. Note that here we 
count the number of isogeny classes, ±7t correspond to the same isogeny class when 
t and q are fixed. Thus, the number of primes q < x associated to twosomes (t, ±ti) 
is equivalent to „, t "? 3: — as x — > oo. 

^ 2h r> log x 

Here we try to determine the decomposition nature of £ over Q(y/—D). We 
claim that £ splits completely over Q(y/—D) under the Conditions (1.1) and (1.2). 
Indeed, if £\t - 2, then £\q - 1, it contradicts k > 2. Since £\(t - 2) 2 + Du 2 , -D 
must be square modulo £. Hence, £ splits completely over Q(y/—D). 



(i 
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At last, we estimate the probability that £\q + 1 — t for a given prime I. Note 
that Mia, — 1) = q + 1 — t. So £\q + 1 — t if and only if there exists a prime ideal p 
lying above £ and dividing a — 1. Let p be a prime ideal lying above I. Then we can 
assume that the probability that a random algebraic integer (3 satisfies j3 = (mod 
p) is 1/M(p) = l/£- Notice that there are two distinct prime ideals lying above £, 
then the probability that l\q + 1 — t for a given prime £ is 2/1. 

Therefore, we have 

x - 1 wdx 2 



Jk,D{x) 



^ x V{k)\og£ £ 2h D \ogx £ 
wd% f x dz 



ho log x J 3 z 2 lo 



□ 



We would like to indicate that k doesn't appear in the above asymptotic formula. 
It is well-known that wd is given by the following formula 

f 4 if D= 1, 
wo = i 6 if D = 3, 

[2 if D = 2 or D > 3. 

Furthermore, by Dirichlet's class number formula of imaginary quadratic fields, we 
know 

^DwdLd/tt if D = 1,2 (mod 4), 
\/Dw D L D /i2n) if D = 3 (mod 4), 

where Ljj = X) (^r) l n= II (l ~ (~zP) /p) anc ^ ^ s tnc J ac °bi symbol. 



Corollary 2.5. For any integer k>2 and any positive real number x, we have the 
following heuristic lower bound and upper bound: 

■ <Jv,0) +0(1) 



v 6/id log 3 / log x \ 3/i £> log 3 / log x 

Proof. Integrating by parts, we obtain 

dz 1 1 f x dz 



Then we have 



z 2 log2; 3 log 3 xlogx J 3 z 2 (logz) 



\, 1 1 , f x dz 



2 3 log 3 x log x J 3 z 2 log z 3 log 3 x log x 
Now the desired result follows easily. □ 

To confirm that the family of ordinary pairing-friendly curves is thin, we define 
Kk,D{x) as the number of pairs (g, t) of primes q and integers t such that Conditions 
(1.1) and (1.2) are satisfied with q < x and y/x < £ < x. Applying the same 
argument as the proof of Theorem 2.4, we get the following theorem. 

Theorem 2.6. For any integer k>2 and any positive real number x, heuristically 
we have 

w D x f x dz 

K k ,D{X) ~ — / -JT . 

h D log a; z l logz 
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Corollary 2.7. For any integer k>2 and any positive real number x, we have the 
following heuristic bounds 

h D J (logo;) 2 \h D J (logx)^ 

3. Heuristics of Cocks-Pinch method 

3.1. Background on Cocks-Pinch method. In an unpublished manuscript [9], 
Cocks and Pinch proposed an algorithm for constructing pairing-friendly curves 
with arbitrary embedding degree. More precisely, see [12, Theorem 4.1] or [14, 
Algorithm IX. 4], fix an embedding degree k and a CM discriminant D, then execute 
the following steps. 

(1) Choose a prime t such that k\£ — 1 and — D is square modulo I, 

(2) Choose an integer g which is a fc-th root of unity in (Z/IZ)*. 

(3) Put t' = g + 1 and choose an integer u' = (f — 2)/y/—D (mod £). 

(4) Let t 6 Z be congruent to t' modulo £, and let u <G Z be congruent to v! 
modulo I. Put q = (t 2 + Du 2 )/4. 

(5) If q is an integer and prime, then there exists an elliptic curve E over ¥ q 
with an order-£ subgroup and embedding degree k. If D is not to large, 
then E can be efficiently constructed via the CM method. 

Let Fk t o(x) be the number of isogeny classes of elliptic curves constructed by 
Cocks-Pinch method with fixed k and D satisfying q < x and £ < x. We denote by 
Hk,D(x) the number of isogeny classes of elliptic curves constructed by Cocks-Pinch 
method with q < x and ^fx < I < x. In the sequel, we will heuristically get two 
asymptotic formulas for F^^ix) by different methods, so as for Hk,o{x). 

3.2. Heuristics from algebraic number theory. In this subsection, we want 
to give some heuristic arguments based on algebraic number theory as [8]. 

Theorem 3.1. For any integer k > 2 and any positive real number x, we have the 
following heuristic asymptotic formula 

/o -i \ 77 { \ w dx f x dz 

3.1) F k>D (x) - — — / — . 

2h D log x J 3 z* log z 

Proof. Let £ > 2 be any integer. Then the probability that £ is a prime such that 
k\£ — 1 and — D is square modulo £ is ■ -^j^ ■ | = 2v {k) \ og e - When £ is fixed, 
the number of choices of g is f{k). After fixing g, t' is fixed and u' has two choices. 
Since k\£ — 1 and k > 2, we have £ > k + 1. 

Note that here we count the number of isogeny classes, ±it correspond to the 
same isogeny class when t and q are fixed. Here we also notice that if t' and v! are 
fixed, then the residue classes modulo £ which t and u belong to are fixed, As the 
proof of Theorem 2.4, then the expected number of primes q < x associated to a 
triple (£, t',u') is equivalent to 2 e' 1 hD\ogx as x ~~ ^ 00 ■ 

Therefore, we have 



. x 2ip(k)\og£ ry ' 2Ph D \ogx 

wdx f x dz 
2h D log x J 3 z 2 log z ' 



□ 
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Corollary 3.2. For any integer k>2 and any positive real number x, we have the 
following heuristic bounds 

( ' o(l)) ^-< Fk , D {x)<(-^- + 0(1) 



\12/i_Dlog3 / logx ' \6/i£)log3 / logx 

Compared Theorem 3.1 with Theorem 2.4, roughly speaking, the heuristics sug- 
gest that one half of the ordinary elliptic curves of embedding degree at least 2 with 
respect to a prime-order subgroup can be theoretically constructed by the Cocks- 
Pinch method. This can explain why Cocks-Pinch method is highly important. 

Similarly, we can heuristically get an asymptotic formula for H^^x), which 
says that the Cocks-Pinch method can produce one half of ordinary pairing-friendly 
curves when k > 2. 

Theorem 3.3. For any integer k > 2 and any positive real number x, the following 
heuristic asymptotic formula holds, 

w D x f x dz 

H k ,D{X) 



2ho logx J z 2 log z 

Corollary 3.4. For any integer k > 2 and any positive real number x, the following 
heuristic bounds hold, 

^+o(l))-^<H k , D ( X )<(^ + o(l ]j(] 
2hD J ilogxY \h D J (logx 

It is widely accepted that the p- value of curves produced by Cocks-Pinch method 
tends to be around 2. Now we give some heuristic arguments to verify this consen- 
sus. 

Let po be a real number such that 1 < pa < 2. Then we denote by Gk,D,p (x) 
the number of isogeny classes of curves constructed by Cocks-Pinch method with 
fixed k and D satisfying I < x and q < l Po . 

Theorem 3.5. For any integer k > 2, positive real numbers x and 1 < po < 2, 
heuristically we have 

w D xP"- 1 



2po(po - l)fiD (logx) 2 ' 
Proof. Applying the same arguments as the proof of Theorem 3.1, we get 



. x 2tp(k)\og£ ^ ; 2Pp Q h D log£ 
wd f x dz 



2p h D J 3 z 2 ~ p " (log zf 

w D x Po_1 
2/Oo(po - l)h D (logx) 2 ' 



□ 



Comparing Corollary 3.2 with Theorem 3.5, we can see that when po is close to 
1, the curves with p- value po are rare among the whole family constructed by the 
Cocks-Pinch method. 
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3.3. Heuristics from Bateman-Horn conjecture. The Bateman-Horn conjec- 
ture has been used to analyze some constructions of pairing-friendly elliptic curves, 
sec [8, 26], it also can yield a heuristic result about Fk.o{x) similar to Theorem 3.1. 

The Bateman-Horn conjecture provides a conjectured density for the positive 
integers at which a given system of polynomials all have prime values, see [3]. We 
recall it here for the conveniences of readers. 

Given any finite set JF = {/i, f%, ■ ■ ■ , fm} consisting of irreducible polynomials 
/i(T), • • • , /m(T) £ Z[T] with positive leading coefficients and such that there is no 
prime p with p\fi(n) ■ ■ ■ f m (n) for every integer n > 1, Bateman-Horn conjecture 
says 
(3.2) 

C{F) f x dz 



|{1 < n < X : /i(n), • • ■ ,/ m (n) are all prime}| ~ — / 

dcg ft ■ ■ ■ deg f m J 2 

.e conditionallj 

c{p)= n 



(log z) 7 



where C{F) is given by the conditionally convergent infinite product 

l-u p {F)/p 

(1 - l/p)m ' 
p prime 

and 

Up(F) = |{1 < n < p : h{n) ■ ■ ■ f m {n) = (mod p)}|. 
Based on the following lemma, we can get another version of Bateman-Horn 
conjecture, that is, 
(3.3) 

C(J-~) X 

\{1 < n < X : /i(n), • • • , f m (n) are all prime}| ~ — 7 -— , 

deg/i • • -deg/ m (\ogX) m 

which we will use in this paper. We are sure that the lemma is well-known. It is 
more convenient to give a simple proof other than find some references. 

Lemma 3.6. We have 

rX dz X 



x f x dz 



(logz)™ (logX) 
Proof. Integrating by parts, we obtain 



x 



dz z 



(logz)™ (\ogz) m 2 J 2 (logz) 



\m+l 



and 



x 



d 



z 



x , \ f dz 

+ (m+ 1) 



(logz) m+1 (logz) m+1 2 ' J 2 (\ogz) m + 2 ' 

For sufficiently large X, we choose an integer M < X such that log M > m + 1. 
Then we have 

x dz f AI dz 1 f x dz 

< 



(logz) m+2 ~y 2 (logz) m+2 logAf J M (logz) m+1 
Thus, we get 

rX dz X 



(\ogz) m+1 (\ogX) m+1 ' 
Finally we have 

fX dz X 



(log z) m (log xy 
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Notice that the ring of integer of Q(^/ ::^ D) is Z®Z, 1+ \ D if D = 3 (mod 4) and 
otherwise is Z © Z\/-D if D = 1 or 2 (mod 4). Since it needs that a = ttli^EM 
is an algebraic integer of Q(y/—D), t and u have the same parity if D = 3 (mod 
4), and otherwise both of them are even. So when we want to count the number of 
twosome (t, u) such that q = 1 is prime, for simplicity we only need to deal 

with the case that t and u are even. 

Theorem 3.7. For any integer k>2, any positive real number x and D = 1 or 2 
(mod 4), heuristically we have 

(3-4) ^(z)--^/" * 

V D log x J 3 z l log z 

where 



prime p > 3 



Proof. As the proof of Theorem 3.1, for an arbitrary integer I > 2, the probability 
that ^ satisfies Steps (1), (2) and (3) is l/\og£. Moreover we must have £ ^ 2. 

Since D = 1 or 2 (mod 4), i and u must be even. So it is equivalent to count the 
number of twosome (£, u) such that q = i 2 + Dit 2 is prime with q < x. Then for the 
integers t and u, we have t < y/x and u < y^x/D. By the prime number theorem, 
we can assume that the two intervals [1, x] and [x + 1, 2x] contain the same number 
of primes. Now we first count the number of (i, u) with q = t + Du 2 prime, t < \fx 
and u < ^Jx/D, and then divide the result by 2. 

For every positive integer u < y/x/D, let f u (T) = T 2 + Du 2 G Z[T]. After 
testing the required conditions, by Bateman-Horn conjecture we have 



\{1 < t < \fx : f u {t) is prime}| 

c(fu)= n 



logx 

where 

1 - Wp(/u)/P 



1 - 1/p ' 
p prime 

and 

w p (/„) = |{1 <n<p: n 2 = -Du 2 (mod p)}\. 
It is easy to see that 



Wp(/„) = 

Put 



1 if p = 2 or 



ff(«) = 



1 if p > 3 and p f u. 
p-1 



p > 3,p\v P - 1 ^ 

We also set g(l) = <?(2™) = 1 for any n > 1, this makes <?(u) a multiplicative 
function. Notice that 



— 

C(/i) = C(/ 2 ) = 



p-1 

prime p > 3 
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Obviously, C(f u ) = C(/i) • g(u). Then we have 

\- C(f u )y/E C(/l)Vi X ^ , , 

^ log a; log a; ^ 

l<u<yfx/D l<u<y/x/D 

Here we need an asymptotic formula for 

S(X)= J2 9(u). 

l<u<X 

Notice that g(u) is a multiplicative function. Since 1 — 1/p < g(p) < 1 + - for any 
prime p, we have 

E *<p> = a+*))^- 

prime p < X 

Then by a well-known result of Wirsing [29, Satz 1] concerning about the sum of 
multiplicative functions, we have 

S(X) = (C g + o(l))X, 
where C g = U i 1 + — + ^r 1 + • • • X 1 ~ Note that the constant C g is 

prime p 

different from the original version, see [11, Propostion 4]. 

Notice that g(p n ) = g{p) for any prime p and any n > 1. Then we have 

p—1 I 1 



n I „ _ i _ / -g 

prime p > 3 \ " \ p 



and thus 



Hence 



cc/i)c.= n ( i -(-?)/f)=^ 



prime p > 3 



V ^^ = (c D + (i))^ 7 £^-. 

^ logcc -/Dlogx v^Dlogx 

l<U<y/x/D 

Note that i can be taken negative integer. We also note that if t' and u' are 
fixed, then the residue classes modulo I which t and u belong to are also fixed. So 
the expected number of primes q < x associated to a triple (£,t',u') is equivalent 
to 

1 C D x J_ C D x 

2 ' y^Dlogx ' i 2 ~ e 2 VDlogx 

as x — > oo. 

Therefore, we have 

C D x 



V^D log x J 3 z 2 log z 

□ 

If we compare Theorem 3.1 and Theorem 3.7, we can see that these two heuristic 
asymptotic formulas are very close. 
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Corollary 3.8. For any integer k > 2, any positive real number x and D = 1 or 
2 ( mod 4 ), we have the following heuristic bounds, 

C ° ■o(l)) ^~ < Fk,D(x) < ( +0(1) 



,3/Dlog3 J logx ' \i^/D\og?, J logs' 

Theorem 3.9. For any integer k > 2, any positive real number x and D = 3 (mod 
4 ), heuristically we have 

(3.5) F k , D (x) > (S? + o(l) 



,3/Dlog3 / logs' 

Proof. Since D = 3 (mod 4) , t and u have the same parity. For simplicity, here we 
only deal with the case that both t and u are even. As the proof of Theorem 3.7, 
wc obtain 



F k , D (x) > (l + o(l)) 



2CdX f x dz 



D log x J 3 z 2 lo § z 



3\/^Dlog3 / logx' 

□ 

When D = 3 (mod 4), if we furthermore assume that the case that t and u are 
even and the other case make the same contribution, then we can get 

Fk,D{X) ~ -7=- / . 

VD logx J 3 z 2 \ogz 

Similarly, we can also easily get a heuristic asymptotic formula for Hk^ix) by 
using Bateman-Horn conjecture. 

3.4. Remark. Boneh, Rubin and Silverberg [7] have found that the Cocks-Pinch 
method can be used to construct elliptic curves with embedding degree k with 
respect to £, where t is a large composite number. This kind of elliptic curves was 
first used by Boneh, Goh and Nissim [5] for partial homomorphic encryption, and 
now they have a number of other important applications in cryptography. Following 
the methods in this section, we can also get some heuristic results about these curves 
without difficulties. 
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